Distributed computing system and method

ABSTRACT

The invention relates to distributed processing systems that involve the distribution of computational tasks to one or more untrusted worker computer systems. When an untrusted worker computer system performs a calculation on behalf of a requesting computer system, the requesting computer system (or other verifying computer system) is provided with information that allows the requesting computer system to cryptographically verify that that task has been correctly completed. After completing the calculation, the worker computer system provides information to the requester that includes a proof and I/O data. The requesting computer system may use a set of public verification key parameters, the proof, and the I/O data to verify that the computation performed by an untrusted worker computer system is correct. In some examples, the calculation performed by the worker is associated with the verification of a blockchain transaction. For example, the verification of the computation performed by the untrusted worker computer system may occur as part of validating a transaction on a blockchain node.

FIELD OF INVENTION

This invention relates generally to the operation of distributed computing systems, and more particularly to methods and systems for cryptographically verifying the correct completion of computing tasks that are distributed to and performed by a third party computer system. Some embodiments of the invention may be particularly suited, but not limited to, use in blockchain systems.

BACKGROUND OF INVENTION

In this document the term “blockchain” refers to any of several types of electronic, computer-based, distributed ledgers. These include consensus-based blockchain and transaction-chain technologies, permissioned and unpermissioned ledgers, shared ledgers and variations thereof. The most widely known application of blockchain technology is the Bitcoin ledger, although other blockchain implementations have been proposed and developed. While the example of Bitcoin may be referred to in the present disclosure, for the purpose of convenience and illustration, it should be noted that the invention is not limited to use with the Bitcoin blockchain, and alternative blockchain implementations and protocols fall within the scope of the present invention. For example, the invention can be useful in other blockchain implementations that have limitations similar to Bitcoin regarding what constraints can be encoded within transactions.

A blockchain is a peer-to-peer, electronic ledger that is implemented as a computer-based decentralised, distributed system made up of blocks, which, in turn, are made up of transactions and other information. For example, with Bitcoin, each transaction is a data structure that encodes the transfer of control of a digital asset between participants in the blockchain system, and includes at least one input and at least one output. In some embodiments, a “digital asset” refers to binary data that is associated with a right to use. Examples of digital assets include Bitcoin, ether, and Litecoins. In some implementations, transferring control of a digital asset can be performed by reassociating at least a portion of a digital asset from a first entity to a second entity. Each block contains a hash of the previous block so that blocks become chained together to create a permanent, immutable record of all transactions that have been written to the blockchain since its inception.

Transactions contain small programs known as scripts embedded into their inputs and outputs that specify how and by whom the outputs of the transactions can be accessed. On the Bitcoin platform, these scripts are written using a stack-based scripting language.

In general, before transaction is written to the blockchain, the transaction is “validated”. Network nodes (miners) perform work to ensure that each transaction is valid, with invalid transactions rejected from the network. A node can have standards for validity different from other nodes. Because validity in the blockchain is consensus based, a transaction is considered valid if a majority of nodes agree that a transaction is valid. Software clients installed on the nodes perform this validation work on transactions referencing an unspent transaction (UTXO) in part by executing the UTXO locking and unlocking scripts. If execution of the locking and unlocking scripts evaluates to TRUE and other validation conditions, if applicable, are met, the transaction is validated by the node. The validated transaction is propagated to other network nodes, whereupon a miner node can select to include the transaction in a blockchain. Thus, in order for a transaction to be written to the blockchain, it must be i) validated by the first node that receives the transaction—if the transaction is validated, the node relays it to the other nodes in the network; and ii) added to a new block built by a miner; and iii) mined, i.e., added to the public ledger of past transactions. The transaction is considered to be confirmed when a sufficient number of blocks is added to the blockchain to make the transaction practically irreversible.

Although blockchain technology is most widely known for the use of cryptocurrency implementation, digital entrepreneurs have begun exploring the use of both the cryptographic security system Bitcoin is based on and the data that can be stored on the blockchain to implement new systems. It would be highly advantageous if the blockchain could be used for automated tasks and processes which are not limited to the realm of cryptocurrency. Such solutions would be able to harness the benefits of the blockchain (e.g., a permanent, tamper proof records of events, distributed processing etc.) while being more versatile in their applications.

One area of current research is the use of the blockchain for the implementation of “smart contracts”. Smart contracts are computer-implemented systems that automate the execution and/or confirmation of the terms of a contract or agreement stored in a machine-readable format. Unlike a traditional contract which would be written in natural language, a smart contract is a machine-readable description of terms and conditions that can be processed by a computer system to produce results, which can then cause actions to be performed dependent upon those results.

Another area of blockchain-related interest is the use of ‘tokens’ (or ‘coloured coins’) to represent the transfer of real-world entities via the blockchain. A potentially sensitive or secret item can be represented by the token which has no discernable meaning or value. The token thus serves as an identifier that allows the real-world item to be referenced from the blockchain.

In embodiments, a smart contract is “smart” in the sense that the creator, or some other specific entity, is not tasked with enforcement and/or execution of the smart contract. That is, although interaction with specific entities can be encoded at specific steps in the smart contract, the smart contract can otherwise be automatically executed and self-enforced. It is machine readable and executable. In some examples, automatic execution refers to any entity being able to unlock the UTXO and having an incentive (e.g., reward) to do so. Note that in such examples, the “any entity” that is able to unlock the UTXO refers to an entity that is able to create the unlocking script without being required to prove knowledge of some secret. In other words, the unlocking transaction can be validated without verifying that the source of the data has access to a cryptographic secret (e.g., private asymmetric key, symmetric key, etc.). Also, in such examples, self-enforcement refers to the validation nodes of the blockchain network being caused to enforce the unlocking transaction according to the constraints. In some examples, “unlocking” a UTXO refers to creating an unlocking transaction that references the UTXO and executes as valid. This may sometimes be referred to as “spending” the transaction.

A blockchain transaction output includes a locking script and information regarding ownership of digital assets such as Bitcoins. The locking script, which may also be referred to as an encumbrance, “locks” the digital assets by specifying conditions that are required to be met in order to unlock the output. For example, a locking script could require that certain data be provided in an unlocking script to unlock the associated digital assets. The locking script is also known as “scriptPubKey” in Bitcoin. A technique for requiring a party to provide data to unlock a digital asset involves embedding a hash of the data inside the locking script. However, this presents a problem if the data is undetermined (e.g., not known and fixed) at the time the locking script is created.

SUMMARY OF INVENTION

Thus, it is desirable to provide methods and systems that improve distributed computing systems in one or more of these aspects. Such an improved solution has now been devised.

Thus, in accordance with the present invention there is provided a method as defined in the appended claims.

Thus, it is desirable to provide a computer-implemented method, the computer-implemented method comprising providing a task to a set of independent computer systems which are able to compete to provide the outcome of the provided task, the task specifying a computation to perform, and verifying, at a verifying computer system, that the computation is correctly performed by a worker computer system in the set of independent computer systems, the computation based on a circuit having a set of multiplication gates, by at least: generating an evaluation key; providing the evaluation key to the worker computer system; receiving a proof from the worker computer system, the proof based at least in part on the evaluation key; and generating a verification key; and verifying that the computation is correct using the proof and the verification key.

The verification key may be based on one or more of the inputs to the set of multiplication gates and the outputs of the set of multiplication gates. In an embodiment, the verification key is a public verification key, and the public verification key may be published by a computer system.

The proof may be based at least in part on a set of intermediate outputs of the multiplication gates. In an embodiment, the set of intermediate outputs excludes the final output of the circuit.

The proof may be based at least in part on a public evaluation key.

The proof and the verification key may be based at least in part on a first generator and a second generator that generate different groups.

Preferably, the method may also include verifying that elements of the proof are consistent with elements of the evaluation key. In an embodiment, the evaluation key may be determined as follows, where i represents the index to the internal wires of the circuit, deg(t) is the degree of the polynomial t(x), and deg(t) is equal to the number of multiplication gates in the circuit.:

${{Public}\mspace{14mu} {Evaluation}\mspace{14mu} {Key}\mspace{14mu} E_{K}} = \begin{Bmatrix} {r_{v}{v_{i}(s)}} \\ {\alpha_{v}r_{v}{v_{i}(s)}} \\ {r_{w}{w_{i}(s)}} \\ {\alpha_{w}r_{w}{w_{i}(s)}} \\ {r_{y}{y_{i}(s)}} \\ {\alpha_{y}r_{y}{y_{i}(s)}} \\ {\left( {{r_{v}\beta \; {v_{i}(s)}} + {r_{w}\beta \; {w_{i}(s)}} + {r_{y}\beta \; {y_{i}(s)}}} \right)} \\ {s^{j}} \end{Bmatrix}_{\begin{matrix} {i = {N + {1\ldots \; m}}} \\ {j = {0\ldots \; {\deg {(t)}}}} \end{matrix}}$

Preferably, the method may also include verifying that the elements of the proof are constructed using matching coefficients. In an embodiment, matching coefficients are confirmed for Vmid(s)P, Wmid(s)Q and Ymid(s)P as follows:

e(r _(v) V _(mid)(s)

+r _(y) Y _(mid)(s)

, βQ)·e(β

, r _(w) W _(mid)(s)Q)=e(Z _(mid)(s)

, Q)

-   -   and Z_(mid)(s)=Σ_(i=N+1)         ^(m)a_(i)(r_(v)βv_(i)(s)+r_(w)βw_(i)(s)+r_(y)βY_(i)(s)).

Preferably, the method may also include verifying a divisibility requirement on a term of the proof In an embodiment, a verifying entity confirms that the divisibility requirement is satisfied by confirming that:

e(r _(v) V(s)

, r _(w) W(s)Q)=e(r _(y) Y(s)

, Q)·e(r _(y) t(s)

, h(s)Q)   [5]

-   -   where r_(v)V(s)         =Σ_(i=0) ^(m)r_(v)r_(v)a_(i)v_(i)(s)         , r_(w)W(s)Q=Σ_(i=0) ^(m)r_(w)r_(w)a_(i)w(s)Q, r_(y)Y(s)         =Σ_(i=0) ^(m)r_(y)a_(i)y(s)         , and h(s)Q=Σ_(i=0) ^(d)h_(i)Q.

The worker computer system may provide a set of I/O values corresponding to input and output values of the circuit. In an embodiment, the I/O data is the input and outputs of a function being evaluated by the worker computer system.

The circuit may include one or more addition gates which are modelled with their contributions to the multiplication gates. In an embodiment, the circuit can be viewed as a set of multiplication and addition gates where the circuit contains m wires connected to d multiplication gates, and addition gates are modelled with their contributions to the multiplication gates.

The computation may be part of a bitcoin transaction validation or, in additional embodiments, the computations may be part of a blockchain transaction validation.

Verifying that the computation is correct may be accomplished by at least providing the proof, the verification key, and a set of I/O values to a verification computer system, and receiving an indication from the verification computer system that the computation is correct. In an embodiment, the indication may be a cryptographically verifiable indication that the computation is correct such as a digital signature generated with a key associated with the verification computer system.

The verification computer system may be a blockchain node or a bitcoin node.

It is also desirable to provide a system, comprising: a processor; and memory including executable instructions that, as a result of execution by the processor, causes the system to perform any of the methods as claimed.

It is also desirable to provide a non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to at least perform any of the methods as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other aspects of the present invention will be apparent from and elucidated with reference to, the embodiment described herein. An embodiment of the present invention will now be described, by way of example only and with reference to the accompanying drawings, in which:

FIG. 1 illustrates a blockchain environment in which various embodiments can be implemented;

FIG. 2 is a swim diagram that illustrates an example of a process that, if performed by a client computer system and a worker computer system, allows the client to verify work performed by the worker using a proof it and the Verification Key VK in accordance with an embodiment;

FIG. 3 illustrates an example of a circuit that represents an arithmetic function in accordance with an embodiment;

FIG. 4 is a flowchart that illustrates an example of a process that, if performed by a client computer system, determines a verification key VK in accordance with an embodiment;

FIG. 5 is a flowchart that illustrates an example of a process that, if performed by a client computer system, verifies a computation performed by a worker computer system using Proof π in accordance with an embodiment; and

FIG. 6 illustrates a computing environment in which various embodiments can be implemented.

DETAILED DESCRIPTION

In a distributed computing environment, a single task may be divided into a plurality of sub-tasks, which may be distributed amongst a plurality of computer systems for execution. Each of the plurality of computer systems may perform one or more of the sub-tasks. In various examples, the results produced by the individual computer systems are accumulated and aggregated by a coordinating computer system to produce a result for the original single task. Therefore, in many embodiments, the coordinating computer system has an interest in determining that each of the sub-tasks is correctly executed so that the result produced for the original single task is correct. This is particularly problematic if the individual computer systems to which the sub-tasks are distributed are not entirely trusted by the coordinating computer system. The system and method described in the present document allows a verifying computer system to cryptographically verify the work performed by another computer system, even though the other computer system may be an un-trusted computer system. This allows the coordinating computer system to distribute work to a broader set of computer systems that are not necessarily trusted, since the work produced can be cryptographically verified without reproducing the distributed sub-tasks.

The present document describes the process by which the work of an untrusted worker computer system may be verified by way of various examples. In some embodiments, the work distributed to the worker computer system can be viewed as a portion of a logical circuit, and verifying the work associated with some or all of that circuit allows a verifier to proceed with other subtasks related to the logical circuit. In some implementations, information related to the performance and verification of the subtasks is exchanged using a blockchain. However, the methods described herein are applicable to any distributed computing environment where a verifying entity is required to confirm the work performed by one or more un-trusted computer systems.

The following notations may be used in the present document. Mathematical groups may be represented using double-struck

letter, e.g.

₁, and group generators may be denoted by script letters, e.g.

. For example, given a group

₁, if

=G₁ we may recite that

generates

₁.

Double-struck

letters may be used to represent fields. For example,

_(p) may be used to represent the finite field of characteristic p and

_(p) _(k) may be used to denote the extension field of degree k of

_(p) where k is a non-zero integer. The subset

\{0} consisting of non-zero elements may be written as

*. In another example, for a prime number p,

_(p)={0,1,2, . . . p−2, p −1} and

_(p)*={1,2, . . . , p −2, p −1}. In another example where E is an elliptic curve over the finite field

_(p) (resp.

_(p) _(k) ), an abelian subgroup of order r of E(

_(p))[r] (resp. E(

_(p) _(k) )[r]) may be written as E(

_(p))[r] (resp. E(

_(p) _(k) )[r]). An element x being sampled at random from a set X may be represented as

The notation e:

₁×

₂→

_(T) may be used to represent an efficient computable bilinear map where

₁,

₂, and

_(T) are cyclic groups of the same prime order r.

₁ and

₂ are additive groups,

_(T) is a multiplicative group. Arithmetic operations are performed modulo r.

The present document describes one or more embodiments that make use of a Quadratic Arithmetic Program (“QAP”). In various embodiments, general computations are encoded over a field

of prime order r, into a set of polynomial operations. In an example, a QAP contains a tuple=({v_(i)}_(i=0) ^(m), {w}_(i=0) ^(m), {y}_(i=0) ^(m), t) , with v_(i), w_(i), y_(l), t ∈

_(r)[x] polynomials of degree deg(v_(i)) , deg(w_(i)) , deg(y_(l))<deg(t)=d. In reference to the previous example, the QAP may be described by reciting that the size of Q is m (m representing the number of internal wires), and that the degree of Q is the degree d of t, where d is the number of multiplication gates. In another example, let Q=({v_(i)}_(i=0) ^(m), {w_(i)}_(i=0) ^(m), {y_(i)}_(i=0) ^(m), t) be a QAP. A tuple (a₀, . . . , a_(m)) is a solution of Q if t divides (Σ_(i=0) ^(m),(x))·(Σ_(i=0) ^(m)a_(i)w_(i)(x))−(Σ_(i=0) ^(m)a_(i)y_(i)(x)) ∈

_(r)[x]. The polynomials {v_(i)}_(i=0) ^(m) encode the left input into each multiplication gate, the polynomials {w_(i)}_(i=0) ^(m) encode the right input into each multiplication gate, and the polynomial {y_(i)}_(i=0) ^(m) encodes the outputs.

Reference will first be made to FIG. 1, which illustrates an example blockchain network 100 associated with a blockchain in accordance with an embodiment of the present disclosure. In the embodiment, the example blockchain network 100 comprises blockchain nodes that are implemented as peer-to-peer distributed electronic devices, each running an instance of software and/or hardware that performs operations that follow a blockchain protocol that is, at least in part, agreed to among operators of nodes 102. In some examples, “nodes” refers to peer-to-peer electronic devices that are distributed among the blockchain network. An example of a blockchain protocol is the Bitcoin protocol.

In some embodiments, the nodes 102 can be comprised of any suitable computing device (e.g., by a server in a data centre, by a client computing device (e.g., a desktop computer, laptop computer, tablet computer, smartphone, etc.), by multiple computing devices in a distributed system of a computing resource service provider, or by any suitable electronic client device such as the computing-device 600 of FIG. 6). In some embodiments, the nodes 102 have inputs to receive data messages or objects representative of proposed transactions, such as a transaction 104. The nodes, in some embodiments, are be queryable for information they maintain, such as for information of a state of the transaction 104.

As shown in FIG. 1, some of the nodes 102 are communicatively coupled to one or more other of the nodes 102. Such communicative coupling can include one or more of wired or wireless communication. In the embodiment, the nodes 102 each maintain at least a portion of a “ledger” of all transactions in the blockchain. In this manner, the ledger would be a distributed ledger. A transaction processed by a node that affects the ledger is verifiable by one or more of the other nodes such that the integrity of the ledger is maintained.

As for which nodes 102 can communicate with which other nodes, it can be sufficient that each of the nodes in the example blockchain network 100 are able to communicate with one or more other of the nodes 102 such that a message that is passed between nodes can propagate throughout the example blockchain network 100 (or some significant portion of it), assuming that the message is one that the blockchain protocol indicates should be forwarded. One such message might be the publication of a proposed transaction by one of the nodes 102, such as node 102A, which would then propagate along a path such as a path 106. Another such message might be the publication of a new block proposed for inclusion onto a blockchain.

In an embodiment, at least some of the nodes 102 are miner nodes that perform complex calculations, such as solving cryptographic problems. A miner node that solves the cryptographic problem creates a new block for the blockchain and broadcasts the new block to others of the nodes 102. The others of the nodes 102 verify the work of the miner node and, upon verification, accept the block into the blockchain (e.g., by adding it to the distributed ledger of the blockchain). In some examples, a block is a group of transactions, often marked with a timestamp and a “fingerprint” (e.g., a hash) of the previous block. In this manner, each block may become linked to a previous block, thereby creating the “chain” that links the blocks in the blockchain. In embodiments, valid blocks are added to the blockchain by a consensus of the nodes 102. Also in some examples, a blockchain comprises a list of validated blocks.

In an embodiment, at least some of the nodes 102 operate as validating nodes that validate transactions as described in the present disclosure. In some examples, a transaction includes data that provides proof of ownership of a digital asset (e.g., a number of

Bitcoins) and conditions for accepting or transferring ownership/control of the digital asset. In some examples, a “unlocking transaction” refers to a blockchain transaction that reassociates (e.g., transferring ownership or control) at least a portion of a digital asset, indicated by an unspent transaction output (UTXO) of a previous transaction, to an entity associated with a blockchain address. In some examples, a “previous transaction” refers to a blockchain transaction that contains the UTXO being referenced by the unlocking transaction. In some embodiments, the transaction includes a “locking script” that encumbers the transaction with conditions that must be fulfilled before ownership/control can be transferred (“unlocked”).

In some embodiments, the blockchain address is a string of alphanumeric characters that is associated with an entity to which control of at least a portion of a digital asset is being transferred/reassociated. In some blockchain protocols implemented in some embodiments, there is a one-to-one correspondence between a public key associated with the entity and the blockchain address. In some embodiments, validation of transactions involves validating one or more conditions specified in a locking script and/or unlocking script. Upon successful validation of the transaction 104, the validation node adds the transaction 104 to the blockchain and distributes it to the nodes 102.

FIG. 2 is a swim diagram that illustrates an example of a process that, if performed by a client computer system and a worker computer system, allows the client to verify work performed by the worker using a proof it and the Verification Key VK in accordance with an embodiment. Some or all of a process 200 (or any other processes described, or variations and/or combinations of those processes) can be performed under the control of one or more computer systems configured with executable instructions and/or other data, and may be implemented as executable instructions executing collectively on one or more processors. The executable instructions and/or other data can be stored on a non-transitory computer-readable storage medium (e.g., a computer program persistently stored on magnetic, optical, or flash media).

For example, some or all of process 200 can be performed by one or more computing devices (e.g., by a server in a data centre, by a client computing device, by multiple computing devices in a distributed system of a computing resource service provider, or by any suitable electronic client device such as the computing device 600 of FIG. 6).

In various embodiments, the client computer system submits a calculation to be performed by the worker computer system. The worker computer system may not be fully trusted by the client computer system, and therefore, the worker computer system provides information that allows the client computer system or another trusted verification computer system to verify that the calculation performed by the worker computer system is correct. In many examples, the client does not fully trust the worker computer system, and therefore, in order to satisfy the client computer system, the worker computer system submits information that allows the client computer system to prove that the computation was performed correctly. In some embodiments, verification of the work performed by the worker computer system is performed by a verifying computer system that is trusted by the client computer system.

In various embodiments, public verification key parameters V_(K), the proof π, and the I/O data are used to verify the alleged proof of correct computation provided by an untrusted worker computer system. In various embodiments, a verifying computer system gathers materials used in the verification process from a client computer system and the untrusted worker computer system, and performs the verification on the client computer system's behalf. In an embodiment, the verification of the computation performed by the untrusted worker computer system occurs during validation of a transaction and therefore the verifying compute system can be any bitcoin node or blockchain node.

The process begins at block 202 with a client computer system identifying a function to be evaluated by the worker computer system. At block 204, the client computer system constructs an evaluation key EK for the function submitted to the worker computer system. At block 206, the client computer system generates a verification key V_(K) that can be used to verify the work performed by the worker computer system. At block 208, the client computer system submits the function and evaluation key E_(K) to the worker computer system.

In an embodiment, the construction of the public evaluation key E_(K) is accomplished as follows.

${{Public}\mspace{14mu} {Evaluation}\mspace{14mu} {Key}\mspace{14mu} E_{K}} = \begin{Bmatrix} {r_{v}{v_{i}(s)}} \\ {\alpha_{v}r_{v}{v_{i}(s)}} \\ {r_{w}{w_{i}(s)}} \\ {\alpha_{w}r_{w}{w_{i}(s)}} \\ {r_{y}{y_{i}(s)}} \\ {\alpha_{y}r_{y}{y_{i}(s)}} \\ {\left( {{r_{v}\beta \; {v_{i}(s)}} + {r_{w}\beta \; {w_{i}(s)}} + {r_{y}\beta \; {y_{i}(s)}}} \right)} \\ {s^{j}} \end{Bmatrix}_{\begin{matrix} {i = {N + {1\ldots \; m}}} \\ {j = {0\; \ldots \; {\deg {(t)}}}} \end{matrix}}$

In the above embodiment, i represents the index to the internal wires of the circuit, deg(t) is the degree of the polynomial t(x), and deg(t) is equal to the number of multiplication gates in the circuit. For the circuit shown in FIG. 3, the public evaluation key E_(K) is as follows:

${{Public}\mspace{14mu} {Evaluation}\mspace{14mu} {Key}\mspace{14mu} E_{K}} = \begin{Bmatrix} {r_{v}{v_{5}(s)}} \\ {r_{v}{v_{6}(s)}} \\ {\alpha_{v}r_{v}{v_{5}(s)}} \\ {\alpha_{v}r_{v}{v_{6}(s)}} \\ {r_{w}{w_{5}(s)}} \\ {r_{w}{w_{6}(s)}} \\ {\alpha_{w}r_{w}{w_{5}(s)}} \\ {\alpha_{w}r_{w}{w_{6}(s)}} \\ {r_{y}{y_{5}(s)}} \\ {r_{y}{y_{6}(s)}} \\ {\alpha_{y}r_{y}{y_{5}(s)}} \\ {\alpha_{y}r_{y}{y_{6}(s)}} \\ {\left( {{r_{v}\beta \; {v_{5}(s)}} + {r_{w}\beta \; {w_{5}(s)}} + {r_{y}\beta \; {y_{5}(s)}}} \right)} \\ {\left( {{r_{v}\beta \; {v_{6}(s)}} + {r_{w}\beta \; {w_{6}(s)}} + {r_{y}\beta \; {y_{6}(s)}}} \right)} \\ {s^{0}} \\ {s^{1}} \\ {s^{2}} \\ {s^{3}} \end{Bmatrix}$

At block 210, the worker computer system receives the evaluation key E_(K) and information describing the function to be performed from the client computer system. The worker computer system evaluates the function requested by the client computer system and constructs 212 a proof π that can be used to verify the calculation performed by the worker computer system. At block 214, the worker computer system provides the proof π and the I/O data of the calculation to the client computer system. In an embodiment, the I/O data is the input and outputs of the function being evaluated by the worker computer system.

At block 216, the client computer system receives the I/O data and the proof π from the worker computer system. At block 218, the client computer system verifies the computation performed by the worker computer system using elements from V_(K), π, and the I/O data.

Note that one or more of the operations performed in 202-218 may be performed in various orders and combinations, including in parallel.

Note that, in the context of describing disclosed embodiments, unless otherwise specified, use of expressions regarding executable instructions (also referred to as code, applications, agents, etc.) performing operations that “instructions” do not ordinarily perform unaided (e.g., transmission of data, calculations, etc.) denote that the instructions are being executed by a machine, thereby causing the machine to perform the specified operations.

In a paper titled “Quadratic Span Programs and Succinct NIZKs without PCPs” by Gennaro, R. et al. (2013), a protocol for verifiable computation based on quadratic arithmetic programs is described. In the protocol, a circuit takes as input n elements and produces an output of n′ elements for a total of N=n+n′ IO elements (or I/O data). The circuit can be viewed as a set of multiplication and addition gates where the circuit contains m wires connected to d multiplication gates, and addition gates are modelled with their contributions to the multiplication gates.

For the verifying entity to prove that an assignment (a₁, a₂, . . . , a_(N)) on input/output wires is valid, it suffices to prove that there exists coefficients (a_(N+1), . . . , a_(m)) corresponding to assignment on the internal wires, such that the polynomial p(x) has roots (x₁, x₂, . . . , x_(d)), i.e. p(x_(i))_(i)=1 . . . d=0. The polynomial p(x) encodes the gate equations and the wire values. Therefore, a polynomial exists h(x) where p(x)=h(x)·t(x), where t(x)=Π_(i=1) ^(d)(x−x_(i)).

If Q=({v_(i)}_(i=0) ^(m), {w_(i)}_(i=0) ^(m), {y_(i)}_(i=0) ^(m), t), to prove that t divides p=(Σ_(i=0) ^(m)a_(i)·v_(i)(x))·(Σ_(i=0) ^(m)a_(i)·w_(i)(x))−(Σ_(i=0) ^(m)a_(i)·y_(i)(x)), the prover computes the quotient polynomial

${h(x)} = \frac{p(x)}{t(x)}$

in an unknown point s and uses bilinear maps to check that p(s)=t(s)·h(s). In various examples, additional verification is performed to ensure that the worker computer system incorporates the input (a₁, a₂, . . . , a_(n)) correctly, and that the worker computer system generates the proof using the client's evaluation key E_(K).

Where

=(x₁, . . . , x_(d)) is the set of selected root values, the polynomials ({v_(i)}_(i=0) ^(m), {w_(i)}_(i=0) ^(m), {y_(i)}_(i=0) ^(m)) can be expressed as a summation of Lagrange polynomials, i.e.

${v_{i}(x)} = {\Pi_{{j = 1},{j \neq i}}^{d}{\frac{\left( {x - x_{j}} \right)}{\left( {x_{i} - x_{j}} \right)}.}}$

For generators

=

₁ and

Q

=

₂, the verification key V_(K) generated using random r_(v), r_(w), r_(y)=r_(v)·r_(w), s, α_(v), α_(w), α_(y), β, γ ∈

*_(r) is:

${{Public}\mspace{14mu} {Verification}\mspace{14mu} {Key}\mspace{14mu} V_{K}} = \begin{Bmatrix}  \\ Q \\ {\alpha_{v}Q} \\ {\alpha_{w}Q} \\ {\alpha_{w}} \\ {\alpha_{y}Q} \\ {\beta } \\ {\beta Q} \\ {r_{y}{t(s)}} \\ {r_{v}{v_{i}(s)}} \\ {r_{w}{w_{i}(s)}Q} \\ {r_{y}{y_{i}(s)}} \end{Bmatrix}_{i = {0{\ldots N}}}$

The proof contains the following elements:

${{Proof}\mspace{14mu} } = \begin{Bmatrix} {\sum_{i = N + 1}^{m}{a_{i}r_{v}{v_{i}(s)}}} & \; \\ {\sum_{i = N + 1}^{m}{a_{i}\alpha_{v}r_{v}{v_{i}(s)}}} & \; \\ {\sum_{i = N + 1}^{m}a_{i}r_{w}w_{i}(s)Q} & \; \\ {\sum_{i = N + 1}^{m}{a_{i}\alpha_{w}r_{w}{w_{i}(s)}}} & \; \\ {\sum_{i = N + 1}^{m}{a_{i}r_{y}{y_{i}(s)}}} & \; \\ {\sum_{i = N + 1}^{m}{a_{i}\alpha_{y}r_{y}{y_{i}(s)}}} & \; \\ {\sum_{i = {N + 1}}^{m}{a_{i}\left( {r_{v}\beta {v_{i}\left( {{\left. s \right){+ {r_{w}\beta {w_{i}(s)}}}} + {r_{y}{{\beta y}_{i}(s)}}} \right)}} \right.}} & \; \\ {\sum_{i = 0}^{d}h_{i}s^{i}Q} & \; \end{Bmatrix}$

In an embodiment where V_(K), π, and (a₁, a₂, . . . , a_(N)), the verifying computer system verifies that t(x) divides p(x) and hence (x_(N+1), . . . , x_(m))=f (x₀, . . . , x _(N)) as follows. First the verifying computer system checks the three a terms by confirming that:

e(α_(v) r _(v) v _(mid)(s)

, Q)=e(r _(v) v _(mid)(s)

, α_(v) Q)   [1]

e(α_(w) r _(w) W _(mid)(s)

, Q)=e(α_(w)

, r _(w)v_(mid)(s)Q)   [2]

e(α _(y) r _(y) Y _(mid)(s)

, Q)=e(r _(y) Y _(mid)(s)

, α_(y) Q)   [3]

where V_(mid)(s)=Σ_(i=N+1) ^(m)a_(i)v_(i)(s), W_(mid)(s)=Σ_(i=N+1) ^(m)a_(i)w_(i)(s), and Y_(mid)(s)=Σ_(i=N+1) ^(m)a_(i)y_(i)(s). Then, the verifying computer system checks the term β by confirming that:

e(r _(v) V _(mid)(s)

+r_(y) Y _(mid)(s)

, βQ)·e(β

, r_(w)W_(mid)(s)Q)=e(Z _(mid)(s)

, Q)   [4]

-   -   and Z_(mid)(s)=Σ_(i=N+1)         ^(m)a_(i)(r_(v)βv_(i)(s)+r_(w)βw_(i)(s)+r_(y)βy_(i)(s)).

In addition, the verifier confirms that the divisibility requirement is satisfied by confirming that:

e(r _(v) V(s)

, r _(w) W(s)Q)=e(r _(y) Y(s)

, Q)·e(r _(y) t(s)

, h(s)Q)   [5]

-   -   where r_(v)V(s)         =Σ_(i=0) ^(m)r_(v)a_(i)v_(i)(s)         , r_(w)W(s)Q=Σ_(i=0) ^(m)r_(w)a_(i)w(s)Q, r_(y)Y(s)         =Σ_(i=0) ^(m)r_(y)a_(i)y(s)         , and h(s)Q=Σ_(i=0) ^(d)h_(i)Q.

FIG. 3 illustrates an example of a circuit that represents an arithmetic function in accordance with an embodiment. The circuit shown in FIG. 3 represents the function 302:

f(a ₁ , a ₂ , a ₃ , a ₄)=a ₁ +a ₂ a ₃(a ₃ +a ₄)

In the circuit, each wire value comes from, and all operations are performed over, a prime field order field

=

_(r). The polynomials are defined in terms of their evaluation at three multiplication gates 304, 308, and 312. Addition gates 306 and 310 are modelled with their contributions to the multiplication gates. The circuit produces an output value 314.

When input values a₁, a₂, a₃, a₄ are assigned to the circuit, the worker computer system determines corresponding output values. For example, on input a₁, . . . , a₄ ∈

_(r), the worker evaluates the circuit to obtain the set (a₅, a₆, a₇) which corresponds to the output value of each multiplication gate 304, 308, and 312 (a₅, a₆, a₇ ∈

_(r)). A dummy input wire a₀ which is set to 1 is added to the circuit. For each multiplication gate 304, 308, and 312 in the circuit, distinct root values x₅, x₆, x₇ ∈

_(r) are chosen. Thus, for the circuit show in FIG. 3, we randomly select three values x₅, x₆,

and set the target polynomial t(x) to:

t(x)=(x−x ₅)(x−x ₆)(x−x ₇)

In an embodiment, polynomials {v_(i)(x)} represent the left inputs of the multiplication gates, polynomials {w_(i)(x)} represent the right inputs of the multiplication gates, and polynomials {y_(i)(x)} represent the output values of the circuit. For the example circuit show in FIG. 3, the explicit expressions of the polynomials {v_(i)(x)}, {w_(i)(x)}, {y_(i) (x)} are as follows:

Left input polynomials {v_(i)(x)}

${{v_{0}(x)} = \frac{\left( {x - x_{5}} \right)\left( {x - x_{6}} \right)}{\left( {x_{7} - x_{5}} \right)\left( {x_{7} - x_{6}} \right)}}{{v_{1}(x)} = {{v_{3}(x)} = {{v_{4}(x)} = {{v_{6}(x)} = {{v_{7}(x)} = 0}}}}}{{v_{2}(x)} = \frac{\left( {x - x_{6}} \right)\left( {x - x_{7}} \right)}{\left( {x_{5} - x_{6}} \right)\left( {x_{5} - x_{7}} \right)}}{{v_{5}(x)} = \frac{\left( {x - x_{5}} \right)\left( {x - x_{7}} \right)}{\left( {x_{6} - x_{5}} \right)\left( {x_{6} - x_{7}} \right)}}$

Right input polynomials {w_(i)(x)}

${{{w_{0}(x)} = {{w_{2}(x)} = {{w_{5}(x)} = {{w_{7}(x)} = 0}}}}{w_{1}(x)}} = \frac{\left( {x - x_{5}} \right)\left( {x - x_{6}} \right)}{\left( {x_{7} - x_{5}} \right)\left( {x_{7} - x_{6}} \right)}$ ${w_{3}(x)} = {\frac{\left( {x - x_{6}} \right)\left( {x - x_{7}} \right)}{\left( {x_{5} - x_{6}} \right)\left( {x_{5} - x_{7}} \right)} + \frac{\left( {x - x_{5}} \right)\left( {x - x_{7}} \right)}{\left( {x_{6} - x_{5}} \right)\left( {x_{6} - x_{7}} \right)}}$ ${w_{4}(x)} = \frac{\left( {x - x_{5}} \right)\left( {x - x_{7}} \right)}{\left( {x_{6} - x_{5}} \right)\left( {x_{6} - x_{7}} \right)}$ ${w_{6}(x)} = \frac{\left( {x - x_{5}} \right)\left( {x - x_{6}} \right)}{\left( {x_{7} - x_{5}} \right)\left( {x_{7} - x_{6}} \right)}$

Output polynomials {y_(i) (x)}

${{y_{0}(x)} = {{y_{1}(x)} = {{y_{2}(x)} = {{y_{3}(x)} = {{y_{4}(x)} = 0}}}}}{{y_{5}(x)} = \frac{\left( {x - x_{6}} \right)\left( {x - x_{7}} \right)}{\left( {x_{5} - x_{6}} \right)\left( {x_{5} - x_{7}} \right)}}{{y_{6}(x)} = \frac{\left( {x - x_{5}} \right)\left( {x - x_{7}} \right)}{\left( {x_{6} - x_{5}} \right)\left( {x_{6} - x_{7}} \right)}}{{y_{7}(x)} = \frac{\left( {x - x_{5}} \right)\left( {x - x_{6}} \right)}{\left( {x_{7} - x_{5}} \right)\left( {x_{7} - x_{6}} \right)}}$

In an embodiment,

and Q are generators of

₁ and

₂ such that

=

₁ and

Q

=

₂. In addition, we consider asymmetric pairing, i.e.

₁≠

₂, and

₁=E(

_(p))[r] (resp.

₂=E(

_(p) _(k) )[r]) are taken as the (order-r) subgroup of E(

_(p)) (resp. E(

_(p) _(k) )). The key generation procedure includes random elements:

-   -   r_(v), r_(w), s, a_(v), a_(w), a_(y), β,

where r_(y)=r_(v)·r_(w).

In the example illustrated in FIG. 3, the public verification key V_(K) may be determined as:

${{Public}\mspace{14mu} {Verification}\mspace{14mu} {Key}\mspace{14mu} V_{k}} = \begin{Bmatrix}  \\ Q \\ {\alpha_{v}Q} \\ {\alpha_{w}Q} \\ {\alpha_{w}} \\ {\alpha_{y}Q} \\ {\beta } \\ {\beta Q} \\ {r_{y}{t(s)}} \\ {r_{v}{v_{0}(s)}} \\ {r_{v}{v_{1}(s)}} \\ {r_{v}{v_{2}(s)}} \\ {r_{v}{v_{3}(s)}} \\ {r_{v}{v_{4}(s)}} \\ {r_{v}{v_{7}(s)}} \\ {r_{w}{w_{0}(s)}Q} \\ {r_{w}{w_{1}(s)}Q} \\ {r_{w}{w_{2}(s)}Q} \\ {r_{w}{w_{3}(s)}Q} \\ {r_{w}{w_{4}(s)}Q} \\ {r_{w}{w_{7}(s)}Q} \\ {r_{y}{y_{0}(s)}} \\ {r_{y}{y_{1}(s)}} \\ {r_{y}{y_{2}(s)}} \\ {r_{y}{y_{3}(s)}} \\ {r_{y}{y_{4}(s)}} \\ {r_{y}{y_{7}(s)}} \end{Bmatrix}$

In an embodiment, the public verification key is implemented as a sequence of bits having subsequences each representing different components, although different ways of encoding the components into the public verification key are considered as being within the scope of the present disclosure.

The proof π contains the following elements:

${{Proof}\mspace{14mu} } = \begin{Bmatrix} {{a_{5}r_{v}{v_{5}(s)}} + {a_{6}r_{v}{v_{6}(s)}}} \\ {{a_{5}\alpha_{v}r_{v}{v_{5}(s)}} + {a_{6}\alpha_{v}r_{v}{v_{6}(s)}}} \\ {{a_{5}r_{w}{w_{5}(s)}Q} + {a_{6}r_{w}{w_{6}(s)}Q}} \\ {{a_{5}\alpha_{w}r_{w}{w_{5}(s)}} + {a_{6}\alpha_{w}r_{w}{w_{6}(s)}}} \\ {{a_{5}r_{y}{y_{5}(s)}} + {a_{6}r_{y}{y_{6}(s)}}} \\ {{a_{5}\alpha_{y}r_{y}{y_{5}(s)}} + {a_{6}\alpha_{y}r_{y}{y_{6}(s)}}} \\ \begin{matrix} {{{a_{5}\left( {{r_{v}\beta {v_{5}(s)}} + {r_{w}\beta {w_{5}(s)}} + {r_{y}\beta {y_{5}(s)}}} \right)}} +} \\ {{a_{6}\left( {{r_{v}\beta {v_{6}(s)}} + {r_{w}\beta {w_{6}(s)}} + {r_{y}\beta {y_{6}(s)}}} \right)}} \end{matrix} \\ {{h_{0}Q} + {h_{1}sQ} + {h_{2}s^{2}Q} + {h_{3}s^{3}Q}} \end{Bmatrix}$

Where (h₀, h₁, h₂, h₃) are the coefficients of the polynomial h(x) evaluated by the worker, and h(x)=h₀+h₁x+h₂x²+h₃x³. In an embodiment, the proof is implemented as a sequence of bits having subsequences each representing different components of the proof, although different ways of encoding the components into the proof are considered as being within the scope of the present disclosure. The set of elements x belongs to the public evaluation key E_(K).

$\chi = \begin{Bmatrix} \; & {r_{v}{v_{i}(s)}} & \; \\ \; & {\alpha_{v}r_{v}{v_{i}(s)}} & \; \\ \; & {r_{w}w_{i}(s)Q} & \; \\ \; & {\alpha_{w}r_{w}{w_{i}(s)}} & \; \\ \; & {r_{y}{y_{i}(s)}} & \; \\ \; & {\alpha_{y}r_{y}{y_{i}(s)}} & \; \\ \; & {{\left( {{r_{v}\beta {v_{i}(s)}} + {r_{w}\beta {w_{i}(s)}} + {r_{y}\beta {y_{i}(s)}}} \right)}\;} & \; \\ \; & {sQ} & \; \\ \; & {s^{2}Q} & \; \\ \; & {s^{3}Q} & \; \end{Bmatrix}_{i = {({5,6})}}$

In an embodiment, the following equations are used for verifying an alleged proof π. Given the verification key V_(K), a proof π, and the IO values a_(i)={a₀, a₁, a₂, a₃, a₄, a₇}, the verification algorithm first checks that r_(v)V_(mid)(s)

, r_(w)W_(mid)(s)Q, and r_(y)Y_(mid)(s)

are constructed using elements from the evaluation key E_(K). That is, the protocol first verifies the following equations (1) to (3)

$\begin{matrix} {{{e\left( {{\alpha_{v}r_{v}{V_{mid}(s)}},Q} \right)} = {e\left( {{r_{v}{V_{mid}(s)}},{\alpha_{v}Q}} \right)}}{{V_{mid}(s)} = {\sum\limits_{i = {({5,6})}}{a_{i}{v_{i}(s)}}}}{{\alpha_{v}r_{v}{V_{mid}(s)}} = {{a_{5}\alpha_{v}r_{v}{v_{5}(s)}} + {a_{6}\alpha_{v}r_{v}{v_{6}(s)}}}}{{r_{v}{V_{mid}(s)}} = {{a_{5}r_{v}{v_{5}(s)}} + {a_{6}r_{v}{v_{6}(s)}}}}} & (1) \\ {{{e\left( {{\alpha_{w}r_{w}{W_{mid}(s)}},Q} \right)} = {e\left( {{\alpha_{w}},{r_{w}{W_{mid}(s)}Q}} \right)}}{{W_{mid}(s)} = {\sum\limits_{i = {({5,6})}}{a_{i}{w_{i}(s)}}}}{{\alpha_{w}r_{w}{W_{mid}(s)}} = {{a_{5}\alpha_{w}r_{w}{w_{5}(s)}} + {a_{6}\alpha_{w}r_{w}{w_{6}(s)}}}}{{r_{w}{W_{mid}(s)}Q} = {{a_{5}r_{w}{w_{5}(s)}Q} + {a_{6}r_{w}{w_{6}(s)}Q}}}} & (2) \\ {{{e\left( {{\alpha_{y}r_{y}{Y_{mid}(s)}},Q} \right)} = {e\left( {{r_{y}{Y_{mid}(s)}},{\alpha_{y}Q}} \right)}}{{Y_{mid}(s)} = {{\sum\limits_{i = {({5,6})}}{a_{i}{y(s)}\alpha_{y}r_{y}{Y_{mid}(s)}}} = {{a_{5}\alpha_{y}r_{y}{y_{5}(s)}} + {a_{6}\alpha_{y}r_{y}{y_{6}(s)}}}}}{{r_{y}{Y_{mid}(s)}} = {{a_{5}r_{y}{y_{5}(s)}} + {a_{6}r_{y}{y_{6}(s)}}}}} & (3) \end{matrix}$

Secondly, the verifying computer system checks that the same coefficients a_(mid)={a₅, a₆} are used in V_(mid)(s)

, W_(mid)(s)Q, and Y_(mid)(s)

. In an embodiment, the verifying computer system accomplishes this by verifying equation (4) below.

$\begin{matrix} {{{{e\left( {{{r_{v}{V_{mid}(s)}} + {r_{y}{Y_{mid}(s)}}},{\beta Q}} \right)} \cdot {e\left( {{\beta },{r_{w}{W_{mid}(s)}Q}} \right)}} = {e\left( {{{Z_{mid}(s)}},Q} \right)}}{{Z_{mid}(s)} = {{\sum\limits_{i = {({5,6})}}{a_{i}\left( {{r_{v}\beta {v_{i}(s)}} + {r_{w}\beta {w_{i}(s)}} + {r_{y}\beta {y_{i}(s)}}} \right)}} = {{{a_{5}\left( {{r_{v}\beta {v_{5}(s)}} + {r_{w}\beta {w_{5}(s)}} + {r_{y}\beta {y_{5}(s)}}} \right)}} + {{a_{6}\left( {{r_{v}\beta {v_{6}(s)}} + {r_{w}\beta {w_{6}(s)}} + {r_{y}\beta {y_{6}(s)}}} \right)}}}}}} & (4) \end{matrix}$

In addition, the verifying computer system combines the terms from the commitments to perform the divisibility check on the proof term h(x). Namely, the verifying computer system proves that

${{t(s)} \cdot {h(s)}} = {{\left( {\sum\limits_{i = 0}^{7}{a_{i}{v_{i}(s)}}} \right) \cdot \left( {\sum\limits_{i = 0}^{7}{a_{i}{w_{i}(s)}}} \right)} - \left( {\sum\limits_{i = 0}^{7}{a_{i}{y_{i}(s)}}} \right)}$

by confirming the following.

$\begin{matrix} {{{e\left( {{r_{v}{V(s)}},\ {r_{w}{W(s)}Q}} \right)} = {{e\left( {{r_{y}{Y(s)}},Q} \right)} \cdot {e\left( {{r_{y}{t(s)}},{{h(s)}Q}} \right)}}}{{r_{v}{V(s)}} = {\sum\limits_{i = 0}^{7}{r_{v}a_{i}{v_{i}(s)}}}}{{r_{w}{W(s)}Q} = {\sum\limits_{i = 0}^{7}{r_{w}a_{i}{w(s)}Q}}}{{r_{y}{Y(s)}} = {\sum\limits_{i = 0}^{7}{r_{y}a_{i}{y(s)}}}}{{{h(s)}Q} = {\sum\limits_{i = 0}^{3}{h_{i}Q}}}} & (5) \end{matrix}$

FIG. 4 is a flowchart that illustrates an example of a process that, if performed by a client computer system, determines a verification key V_(K) in accordance with an embodiment. Some or all of a process 400 (or any other processes described, or variations and/or combinations of those processes) can be performed under the control of one or more computer systems configured with executable instructions and/or other data, and may be implemented as executable instructions executing collectively on one or more processors. The executable instructions and/or other data can be stored on a non-transitory computer-readable storage medium (e.g., a computer program persistently stored on magnetic, optical, or flash media).

For example, some or all of process 400 can be performed by one or more computing devices (e.g., by a server in a data centre, by a client computing device, by multiple computing devices in a distributed system of a computing resource service provider, or by any suitable electronic client device such as the computing device 600 of FIG. 6).

In various embodiments, the client computer system submits a calculation to be performed by a worker computer system. The worker computer system may not be fully trusted by the client computer system, and therefore, the worker computer system provides information that allows the client computer system or another trusted verification computer system to verify that the calculation performed by the worker computer system is correct. In many examples, the client does not fully trust the worker computer system, and therefore, in order to satisfy the client computer system, the worker computer system provides information to the client computer system that allows the client computer system to prove that the computation performed by the worker computer system was correct. In various embodiments, public verification key parameters V_(K), the proof π, and the I/O data are used to verify the alleged proof of correct computation provided by the worker computer system. The flowchart 400 illustrates a process for generating the verification key V_(K).

In an embodiment, at block 402, the client computer system identifies a function F to be performed by an untrusted worker computer system. The function F takes n values as input. The client computer system generates a model of a circuit corresponding to the function, where the circuit is comprised of a set of multiplication gates and addition gates. At block 404, the client computer system identifies the multiplication gates in the circuit.

In an embodiment, at block 406, the client computer system randomly chooses root values that correspond to the output of each multiplication gate in the circuit. In a circuit that has m multiplication gates, the client computer system chooses m root values (x_(n+1) . . . x_(n+m)).

In an embodiment, at block 408, the client computer system determines a target polynomial t(x)=(x-x_(n))(x-x_(n+1)) . . . (x-x_(n+m)) corresponding to the circuit using the chosen root values (x_(n+1) . . . x_(n+m)). At block 410, the client computer system determines the left inputs of the multiplication gates {v_(i)(x)}, the right inputs of the multiplication gates {w_(i)(x)}, and output values {y_(i)(x)} of the multiplication gates.

In an embodiment, at block 412, the client computer system selects random elements for degeneration r_(v),r_(w),s,a_(v),a_(w),a_(y),β,γ from a field of prime order r such that r_(y)=•r_(w).

In an embodiment, at block 414, the client computer system determines the public verification key V_(K). Let

and Q be generators of

₁ and

₂ such that

=

₁ and

Q

=

₂. It should be noted that (i) we consider asymmetric pairing, i.e.

₁≠

₂ and (ii)

_(i)=E(

_(p)) [r] (resp.

₂=E (

_(p) _(k) )[r]) are taken as the (order-r) subgroup of E(

_(p)) (resp. E(

_(p) _(k) )). Given generators

=

₁ and

Q

=

₂, the verification key V_(K) generated using random r_(v), r_(w), r_(y)=r_(v)·s, a_(v), a_(w), a_(y), β,γ ∈

_(r) is as follows:

${{Public}\mspace{14mu} {Verification}\mspace{14mu} {Key}\mspace{14mu} V_{K}} = \begin{Bmatrix}  \\ Q \\ {\alpha_{v}Q} \\ {\alpha_{w}Q} \\ {\alpha_{w}} \\ {\alpha_{y}Q} \\ {\beta } \\ {\beta Q} \\ {r_{y}{t(s)}} \\ {r_{v}{v_{i}(s)}} \\ {r_{w}{w_{i}(s)}Q} \\ {r_{y}{y_{i}(s)}} \end{Bmatrix}_{i = {0{\ldots N}}}$

Note that one or more of the operations performed in 202-214 may be performed in various orders and combinations, including in parallel.

Note that, in the context of describing disclosed embodiments, unless otherwise specified, use of expressions regarding executable instructions (also referred to as code, applications, agents, etc.) performing operations that “instructions” do not ordinarily perform unaided (e.g., transmission of data, calculations, etc.) denote that the instructions are being executed by a machine, thereby causing the machine to perform the specified operations.

FIG. 5 is a flowchart that illustrates an example of a process that, if performed by a client computer system, verifies a computation performed by a worker computer system using Proof π in accordance with an embodiment. Some or all of a process 500 (or any other processes described, or variations and/or combinations of those processes) can be performed under the control of one or more computer systems configured with executable instructions and/or other data, and may be implemented as executable instructions executing collectively on one or more processors. The executable instructions and/or other data can be stored on a non-transitory computer-readable storage medium (e.g., a computer program persistently stored on magnetic, optical, or flash media).

For example, some or all of process 500 can be performed by one or more computing devices (e.g., by a server in a data centre, by a client computing device, by multiple computing devices in a distributed system of a computing resource service provider, or by any suitable electronic client device such as the computing device 600 of FIG. 6).

In various embodiments, the client computer system submits a calculation to be performed by a worker computer system. The worker computer system may not be fully trusted by the client computer system, and therefore, the worker computer system provides information that allows the client computer system or another trusted verification computer system to verify that the calculation performed by the worker computer system is correct. In many examples, the client does not fully trust the worker computer system, and therefore, in order to satisfy the client computer system, the worker computer system provides information to the client computer system that allows the client computer system to prove that the computation performed by the worker computer system was correct. In various embodiments, public verification key parameters V_(K), the proof π, and the I/O data are used to verify the alleged proof of correct computation provided by the worker computer system. The flowchart 500 illustrates a process for verifying the calculation performed by the worker computer system using the proof it provided by the worker computer system.

In an embodiment, at block 502, the client computer system receives the proof π and the I/O data from the worker computer system. The proof comprises the following:

${{Proof}\mspace{14mu} } = \begin{Bmatrix} {\sum_{i = N + 1}^{m}{a_{i}r_{v}{v_{i}(s)}}} & \; \\ {\sum_{i = N + 1}^{m}{a_{i}\alpha_{v}r_{v}{v_{i}(s)}}} & \; \\ {\sum_{i = N + 1}^{m}a_{i}r_{w}w_{i}(s)Q} & \; \\ {\sum_{i = N + 1}^{m}{a_{i}\alpha_{w}r_{w}{w_{i}(s)}}} & \; \\ {\sum_{i = N + 1}^{m}{a_{i}r_{y}{y_{i}(s)}}} & \; \\ {\sum_{i = N + 1}^{m}{a_{i}\alpha_{y}r_{y}{y_{i}(s)}}} & \; \\ {\sum_{i = {N + 1}}^{m}{a_{i}\left( {r_{v}\beta {v_{i}\left( {\left. s \right) + {r_{w}\beta {w_{i}(s)}} + {r_{y}\beta {y_{i}(s)}}} \right)}} \right.}} & \; \\ {\sum_{i = 0}^{d}h_{i}s^{i}Q} & \; \end{Bmatrix}$

In an embodiment, at block 504, the client computer system begins the process of confirming that the work performed by the worker computer system is correct. The client computer system confirms that r_(v)V_(mid)(s)P,r_(w)W_(mid)(s)Q and r_(y)Y_(mid)(s)P are constructed using elements from the evaluation key E_(K) as follows:

(α_(v) r _(v) V _(mid)(s)

, Q)=e(r _(v) V _(mid)(s)

, α_(v) Q)

e(α_(w) r _(w) W _(mid)(s)

, Q)=e(α_(w)

, r_(w)W_(mid)(s)Q)

e(α_(y) r _(y) Y _(mid)(s)

, Q)=e(r _(y) Y _(mid)(s)

, α_(y) Q)

where V_(mid)(s)=Σ_(i=N+1) ^(m)=a_(i)v_(i)(s) W_(mid)(s)=Σ_(i=N+1) ^(m)a_(i)w_(i)(s), and Y_(mid)(s)=Σ_(i=N+1) ^(m)a_(i)y_(i)(s).

At block 506, the client computer system confirms that matching coefficients are used for Vmid(s)P, Wmid(s)Q and Ymid(s)P as follows:

e(r _(v) V _(mid)(s)

+r _(y) Y _(mid)(s)

, βQ)·e(β

, r _(w) W _(mid)(s)Q)=e(Z _(mid)(s)

, Q)

-   -   and Z_(mid)(s)=Σ_(i=N+1) ^(m)a_(i)(r_(v)βv_(i)(s)+r_(w)βw_(i)(s)         r_(y)βy_(i)(s)).

At block 508, the client computer system combines the terms from the commitments to perform the divisibility check on the proof term h(x) as follows:

e(r _(v)V(s)

, r _(w) W(s)Q)=e(r _(y) Y(s)

, Q)·e(r _(y) t(s)

, h(s)Q)

-   -   where r_(v)V(s)         =Σ_(i=0) ^(m)r_(v)a_(i)v_(i)(s)         , r_(w)W(s)Q=Σ_(i=N+1) ^(m)a_(i)w(s)Q, r_(y)Y(s)         =Σ_(i=0) ^(m)(s)         , and h(s)Q=Σ_(i=0) ^(d)h_(i)Q.

If the above checks are successful, the client computer system determines that the calculations performed by the worker computer system are correct and the results provided by the work computer system can be trusted by the client computer system.

Note that one or more of the operations performed in 502-508 may be performed in various orders and combinations, including in parallel.

Note that, in the context of describing disclosed embodiments, unless otherwise specified, use of expressions regarding executable instructions (also referred to as code, applications, agents, etc.) performing operations that “instructions” do not ordinarily perform unaided (e.g., transmission of data, calculations, etc.) denote that the instructions are being executed by a machine, thereby causing the machine to perform the specified operations.

The present document describes systems and methods that enhance and expand the capabilities of a blockchain. Various embodiments allow a user to securely list and exchange rights over a public blockchain, and to integrate nearly complete anonymous digital transactions. Various embodiments may be used to provide solutions to (i) the common reference string (CRS) and the worker's proof (it) storage problems, (ii) the interaction between the unlocking script and CRS, and the unlocking script and π.

Various embodiments may be used to provide a secure, compact representation of smart contracts: Smart contracts may follow formatting conventions using special languages such as the XML-derivative, FpML. Various embodiments may be used to outsource contract executions to untrusted parties, or to publicly verify the correctness of contract execution. Contract validations may not imply code re-execution. Computations may not be replicated by every node in the network. In some embodiments, proofs of honest execution are stored in the public blockchain and used for validation purposes.

FIG. 6 is an illustrative, simplified block diagram of a computing device 600 that can be used to practice at least one embodiment of the present disclosure. In various embodiments, the computing device 600 can be used to implement any of the systems illustrated and described above. For example, the computing device 600 can be configured for use as a data server, a web server, a portable computing device, a personal computer, or any electronic computing device. As shown in FIG. 6, the computing device 600 could include one or more processors 602 that, in embodiments, communicate with and are operatively coupled to a number of peripheral subsystems via a bus subsystem 604. In some embodiments, these peripheral subsystems include a storage subsystem 606 comprising a memory subsystem 608 and a file/disk storage subsystem 610, one or more user interface input devices 612, one or more user interface output devices 614, and a network interface subsystem 616. Such storage subsystem 606 could be used for temporary or long-term storage of information.

In some embodiments, the bus subsystem 604 provides a mechanism for enabling the various components and subsystems of computing device 600 to communicate with each other as intended. Although the bus subsystem 604 is shown schematically as a single bus, alternative embodiments of the bus subsystem utilize multiple busses. In some embodiments, the network interface subsystem 616 provides an interface to other computing devices and networks. The network interface subsystem 616, in some embodiments, serves as an interface for receiving data from and transmitting data to other systems from the computing device 600. In some embodiments, the bus subsystem 604 is utilised for communicating data such as details, search terms, and so on.

In some embodiments, the user interface input devices 612 includes one or more user input devices such as a keyboard; pointing devices such as an integrated mouse, trackball, touchpad, or graphics tablet; a scanner; a barcode scanner; a touch screen incorporated into the display; audio input devices such as voice recognition systems, microphones; and other types of input devices. In general, use of the term “input device” is intended to include all possible types of devices and mechanisms for inputting information to the computing device 600. In some embodiments, the one or more user interface output devices 614 include a display subsystem, a printer, or non-visual displays such as audio output devices, etc. In some embodiments, the display subsystem includes a cathode ray tube (CRT), a flat-panel device such as a liquid crystal display (LCD), light emitting diode (LED) display, or a projection or other display device. In general, use of the term “output device” is intended to include all possible types of devices and mechanisms for outputting information from the computing device 600. The one or more user interface output devices 614 can be used, for example, to present user interfaces to facilitate user interaction with applications performing processes described and variations therein, when such interaction may be appropriate.

In some embodiments, the storage subsystem 606 provides a computer-readable storage medium for storing the basic programming and data constructs that provide the functionality of at least one embodiment of the present disclosure. The applications (programs, code modules, instructions), when executed by one or more processors in some embodiments, provide the functionality of one or more embodiments of the present disclosure and, in embodiments, are stored in the storage subsystem 606. These application modules or instructions can be executed by the one or more processors 602. In various embodiments, the storage subsystem 606 additionally provides a repository for storing data used in accordance with the present disclosure. In some embodiments, the storage subsystem 606 comprises a memory subsystem 608 and a file/disk storage subsystem 610.

In embodiments, the memory subsystem 608 includes a number of memories, such as a main random access memory (RAM) 618 for storage of instructions and data during program execution and/or a read only memory (ROM) 620, in which fixed instructions can be stored. In some embodiments, the file/disk storage subsystem 610 provides a non-transitory persistent (non-volatile) storage for program and data files and can include a hard disk drive, a floppy disk drive along with associated removable media, a Compact Disk Read Only Memory (CD-ROM) drive, an optical drive, removable media cartridges, or other like storage media.

In some embodiments, the computing device 600 includes at least one local clock 624. The local clock 624, in some embodiments, is a counter that represents the number of ticks that have transpired from a particular starting date and, in some embodiments, is located integrally within the computing device 600. In various embodiments, the local clock 624 is used to synchronize data transfers in the processors for the computing device 600 and the subsystems included therein at specific clock pulses and can be used to coordinate synchronous operations between the computing device 600 and other systems in a data centre. In another embodiment, the local clock is a programmable interval timer.

The computing device 600 could be of any of a variety of types, including a portable computer device, tablet computer, a workstation, or any other device described below.

Additionally, the computing device 600 can include another device that, in some embodiments, can be connected to the computing device 600 through one or more ports (e.g., USB, a headphone jack, Lightning connector, etc.). In embodiments, such a device includes a port that accepts a fibre-optic connector. Accordingly, in some embodiments, this device is that converts optical signals to electrical signals that are transmitted through the port connecting the device to the computing device 600 for processing. Due to the ever-changing nature of computers and networks, the description of the computing device 600 depicted in FIG. 6 is intended only as a specific example for purposes of illustrating the preferred embodiment of the device. Many other configurations having more or fewer components than the system depicted in FIG. 6 are possible.

The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. However, it will be evident that various modifications and changes may be made thereunto without departing from the scope of the invention as set forth in the claims. Likewise, other variations are within the scope of the present disclosure. Thus, while the disclosed techniques are susceptible to various modifications and alternative constructions, certain illustrated embodiments thereof are shown in the drawings and have been described above in detail. It should be understood, however, that there is no intention to limit the invention to the specific form or forms disclosed but, on the contrary, the intention is to cover all modifications, alternative constructions and equivalents falling within the scope of the invention, as defined in the appended claims.

The use of the terms “a” and “an” and “the” and similar referents in the context of describing the disclosed embodiments (especially in the context of the following claims) is to be construed to cover both the singular and the plural, unless otherwise indicated or clearly contradicted by context. The terms “comprising”, “having”, “including”, and “containing” are to be construed as open-ended terms (i.e., meaning “including, but not limited to”) unless otherwise noted. The term “connected”, when unmodified and referring to physical connections, is to be construed as partly or wholly contained within, attached to or joined together, even if there is something intervening. Recitation of ranges of values in the present disclosure are merely intended to serve as a shorthand method of referring individually to each separate value falling within the range unless otherwise indicated and each separate value is incorporated into the specification as if it were individually recited. The use of the term “set” (e.g., “a set of items”) or “subset”, unless otherwise noted or contradicted by context, is to be construed as a nonempty collection comprising one or more members. Further, unless otherwise noted or contradicted by context, the term “subset” of a corresponding set does not necessarily denote a proper subset of the corresponding set, but the subset and the corresponding set may be equal.

Conjunctive language, such as phrases of the form “at least one of A, B, and C”, or “at least one of A, B and C”, unless specifically stated otherwise or otherwise clearly contradicted by context, is otherwise understood with the context as used in general to present that an item, term, etc., could be either A or B or C, or any nonempty subset of the set of A and B and C. For instance, in the illustrative example of a set having three members, the conjunctive phrases “at least one of A, B, and C” and “at least one of A, B and C” refer to any of the following sets: {A}, {B}, {C}, {A, B}, {A, C}, {B, C}, {A, B, C}. Thus, such conjunctive language is not generally intended to imply that certain embodiments require at least one of A, at least one of B and at least one of C each to be present.

Operations of processes described can be performed in any suitable order unless otherwise indicated or otherwise clearly contradicted by context. Processes described (or variations and/or combinations thereof) can be performed under the control of one or more computer systems configured with executable instructions and can be implemented as code (e.g., executable instructions, one or more computer programs or one or more applications) executing collectively on one or more processors, by hardware or combinations thereof. In some embodiments, the code can be stored on a computer-readable storage medium, for example, in the form of a computer program comprising a plurality of instructions executable by one or more processors. In some embodiments, the computer-readable storage medium is non-transitory.

The use of any and all examples, or exemplary language (e.g., “such as”) provided, is intended merely to better illuminate embodiments of the invention and does not pose a limitation on the scope of the invention unless otherwise claimed. No language in the specification should be construed as indicating any non-claimed element as essential to the practice of the invention.

Embodiments of this disclosure are described, including the best mode known to the inventors for carrying out the invention. Variations of those embodiments will become apparent to those of ordinary skill in the art upon reading the foregoing description. The inventors expect skilled artisans to employ such variations as appropriate and the inventors intend for embodiments of the present disclosure to be practiced otherwise than as specifically described. Accordingly, the scope of the present disclosure includes all modifications and equivalents of the subject matter recited in the claims appended hereto as permitted by applicable law. Moreover, any combination of the above-described elements in all possible variations thereof is encompassed by the scope of the present disclosure unless otherwise indicated or otherwise clearly contradicted by context. All references, including publications, patent applications, and patents, cited are hereby incorporated by reference to the same extent as if each reference were individually and specifically indicated to be incorporated by reference and were set forth in its entirety.

It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be capable of designing many alternative embodiments without departing from the scope of the invention as defined by the appended claims. In the claims, any reference signs placed in parentheses shall not be construed as limiting the claims. The word “comprising” and “comprises”, and the like do not exclude the presence of elements or steps other than those listed in any claim or the specification as a whole. In the present specification, “comprises” means “includes or consists of” and “comprising” means “including or consisting of”. The singular reference of an element does not exclude the plural reference of such elements and vice-versa. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means can be embodied by one and the same item of hardware.

The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Summary

Techniques described and suggested in the present disclosure improve the field of computing, specifically the field of confirming the correctness of a computation performed by a third party computer system, by verifying a proof π provided by the 3^(rd) party using a public verification key parameter VK and I/O data. Additionally, techniques described and suggested in the present disclosure improve the functioning of computing systems by allowing computations to be distributed across a network of untrusted 3^(rd) party computer systems. Moreover, techniques described and suggested in the present disclosure are necessarily rooted in computer technology in order to overcome problems specifically arising with verifying performance of a digital contract by modeling a contract as a logical circuit. 

1. A computer-implemented method comprising: providing a task to a set of independent computer systems which are able to compete to provide outcome of the provided task, the task specifying a computation to perform; and verifying, at a verifying computer system, that the computation is correctly performed by a worker computer system in the set of independent computer systems, the computation based on a circuit having a set of multiplication gates, by at least: generating an evaluation key; providing the evaluation key to the worker computer system; receiving a proof from the worker computer system, the proof based at least in part on the evaluation key; generating a verification key; and verifying that the computation is correct using the proof and the verification key.
 2. The computer-implemented method claimed in claim 1, wherein the verification key is based on inputs to the set of multiplication gates and outputs of the set of multiplication gates.
 3. The computer-implemented method claimed in claim 1, wherein the proof is based at least in part on a set of intermediate outputs of the set of multiplication gates.
 4. The computer-implemented method claimed in claim 1, wherein the proof is based at least in part on a public evaluation key.
 5. The computer-implemented method claimed in claim 1, wherein the proof and the verification key are based at least in part on a first generator and a second generator that generate different groups.
 6. The computer-implemented method claimed in claim 1, further comprising verifying that elements of the proof are consistent with elements of the evaluation key.
 7. The computer-implemented method claimed in claim 1, further comprising verifying that elements of the proof are constructed using matching coefficients.
 8. The computer-implemented method claimed in claim 1, further comprising verifying a divisibility requirement on a term of the proof.
 9. The computer-implemented method claimed in claim 1, wherein the worker computer system provides a set of I/O values corresponding to input and output values of the circuit.
 10. The computer-implemented method claimed in claim 1, wherein the circuit includes one or more addition gates which are modelled with their contributions to the multiplication gates.
 11. The computer-implemented method claimed in claim 1, wherein the computation is part of a bitcoin transaction validation.
 12. The computer-implemented method claimed in claim 1, wherein verifying that the computation is correct is accomplished by at least: providing the proof, the verification key, and a set of I/O values to a verification computer system; and receiving an indication from the verification computer system that the computation is correct.
 13. The computer-implemented method claimed in claim 1, wherein the verification computer system is a blockchain node.
 14. A system, comprising: a processor; and memory including executable instructions that, as a result of being executed by the processor, causes the system to perform the computer-implemented method of claim
 1. 15. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by a processor of a computer system, cause the computer system to at least perform the computer-implemented method of claim
 1. 16. A system, comprising: a processor; and memory including executable instructions that, as a result of being executed by the processor, causes the system to perform the computer-implemented method of claim
 2. 17. A system, comprising: a processor; and memory including executable instructions that, as a result of being executed by the processor, causes the system to perform the computer-implemented method of claim
 3. 18. A system, comprising: a processor; and memory including executable instructions that, as a result of being executed by the processor, causes the system to perform the computer-implemented method of claim
 4. 19. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by a processor of a computer system, cause the computer system to at least perform the computer-implemented method of claim
 2. 20. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by a processor of a computer system, cause the computer system to at least perform the computer-implemented method of claim
 3. 